- By Kim Zetter
Oak Ridge National Laboratory was hit by a targeted hacker attack in 2011 that forced the lab to take all its computers offline. Photo: Oak Ridge National Laboratory
The attackers chose their moment well.
On Apr. 7, 2011, five days before Microsoft patched a critical zero-day vulnerability in Internet Explorer that had been publicly disclosed three months earlier on a security mailing list, unknown attackers launched a spear-phishing attack against workers at the Oak Ridge National Laboratory in Tennessee.
The lab, which is funded by the U.S. Department of Energy, conducts classified and unclassified energy and national security work for the federal government.
The e-mail, purporting to come from the lab’s human resources department, went to about 530 workers, or 11 percent of the lab’s workforce.
The cleverly crafted missive included a link to a malicious webpage, where workers could get information about employee benefits. But instead of getting facts about a health plan or retirement fund, workers who visited the site using Internet Explorer got bit with malicious code that downloaded silently to their machines.
Although the lab detected the spear-phishing attack soon after it began, administrators weren’t quick enough to stop 57 workers from clicking on the malicious link. Luckily, only two employee machines were infected with the code. But that was enough for the intruders to get onto the lab’s network and begin siphoning data. Four days after the e-mails arrived, administrators spotted suspicious traffic leaving a server.
Only a few megabytes of stolen data got out, but other servers soon lit up with malicious activity. So administrators took the drastic step of severing all the lab’s computers from the internet while they investigated.
Oak Ridge had become the newest member of a club to which no one wants to belong – a nonexclusive society that includes Fortune 500 companies protecting invaluable intellectual property, law firms managing sensitive litigation and top security firms that everyone expected should have been shielded from such incursions. Even His Holiness the Dalai Lama has been the victim of an attack.
Last year, antivirus firm McAfee identified some 70 targets of an espionage hack dubbed Operation Shady RAT that hit defense contractors, government agencies and others in multiple countries. The intruders had source code, national secrets and legal contracts in their sights.
Source code and other intellectual property were also the targets of hackers who breached Google and 33 other firms in 2010. In a separate attack, online spies siphoned secrets for the Pentagon’s $300 billion Joint Strike Fighter project.
Then, last year, the myth of computer security was struck a fatal blow when intruders breached RSA Security, one of the world’s leading security companies that also hosts the annual RSA security conference, an august and massive confab for security vendors. The hackers stole data related to the company’s SecurID two-factor authentication systems, RSA’s flagship product that is used by millions of corporate and government workers to securely log into their computers.
Fortunately, the theft proved to be less effective for breaking into other systems than the intruders probably hoped, but the intrusion underscored the fact that even the keepers of the keys cannot keep attackers out.
- By Kim Zetter
The FBI has been lobbying top internet companies like Yahoo and Google to support a proposal that would force them to provide backdoors for government surveillance, according to CNET.
The Bureau has been quietly meeting with representatives of these companies, as well as Microsoft (which owns Hotmail and Skype), Facebook and others to argue for a legislative proposal, drafted by the FBI, that would require social-networking sites and VoIP, instant messaging and e-mail providers to alter their code to make their products wiretap-friendly.
The FBI has previously complained to Congress about the so-called “Going Dark” problem – the difficulty of doing effective wiretap surveillance as more communications have moved from traditional telephone services to internet service companies.
Under the Communications Assistance for Law Enforcement Act, or CALEA, passed in 1994, telecommunications providers are required to make their systems wiretap-friendly. The Federal Communications Commission extended CALEA in 2004 to apply to broadband providers like ISPs and colleges, but web companies are not covered by the law.
CNET reports that in addition to this push from the FBI, the Federal Communications Commission may be looking at reinterpreting CALEA to demand that video and non-telephone-replacement VoIP products such as Skype and Xbox Live be modified to include backdoors that allow FBI surveillance.